core/modules/rest/src/RequestHandler.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/core/modules/rest/src/RequestHandler.php b/core/modules/rest/src/RequestHandler.php
index 8e0cd74..af006e1 100644
--- a/core/modules/rest/src/RequestHandler.php
+++ b/core/modules/rest/src/RequestHandler.php
@@ -90,6 +90,16 @@ public function handle(RouteMatchInterface $route_match, Request $request) {
 $response = call_user_func_array(array($resource, $method), array_merge($parameters, array($unserialized, $request)));
 }
 catch (HttpException $e) {
+ // In case a response is forbidden for the current user, we must not
+ // convert it into a response, because that would rob
+ // \Drupal\Core\EventSubscriber\AuthenticationSubscriber::onExceptionSendChallenge()
+ // from the opportunity to convert it into a 401 response, to challenge
+ // the user to authenticate.
+ // @see \Drupal\Core\Authentication\AuthenticationProviderChallengeInterface
+ if ($e->getStatusCode() == 403) {
+ throw $e;
+ }
+
 $error['error'] = $e->getMessage();
 $content = $serializer->serialize($error, $format);
 // Add the default content type, but only if the headers from the
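Review bot: The rethrow in the new `if` in the catch block sends every 403 — not only the unauthenticated case the comment describes — out of the REST handler, so an authenticated caller who merely lacks permission no longer gets an error body serialized in the requested `$format` but whatever the kernel's default exception handling produces; the comment should say so, e.g. `// Note: this also bypasses the serialized error body for authenticated-but-unauthorized requests.`, unless that loss is intended. The status check uses loose comparison and a magic number; `if ($e->getStatusCode() === Response::HTTP_FORBIDDEN) {` is the stricter form, assuming Symfony's `Response` class is imported in the file's `use` block (outside this hunk). The `handle()` method begins before the hunk and continues after it.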